Is the Heart of Your SAP System at Risk?

How Organizations Can Protect Against Malicious Cyber Attacks

by Mariano Nunez

October 1, 2013

The cyber layer is the heart of the SAP system, responsible for processing key aspects of SAP functions and applications. If it is not properly secured, a malicious attacker can exploit technical vulnerabilities and obtain control of business-critical processes and information. This article looks at how Onapsis helps its customers fight against cyber attacks and secure business-critical SAP platforms from espionage, sabotage, and financial fraud.

While most organizations rely on segregation of duties (SoD) controls to enforce their security policies and eliminate risk at the user-access layer of their SAP systems, there is an additional layer that is sometimes overlooked: the cyber layer.

If the cyber layer (that is, the SAP NetWeaver layer) is not properly secured, a malicious attacker can exploit technical vulnerabilities and obtain control of business-critical processes and information managed by the SAP platform, resulting in harmful business effects.

Protect the Heart of the Business

The cyber layer (see Figure 1) is the heart of the SAP system, responsible for processing key aspects of SAP functions and applications like SAP ERP, SAP Customer Relationship Management (SAP CRM), and SAP Supply Chain Management (SAP SCM). It is a complex collection of interconnected capabilities and, as such, has the potential to be implemented in an insecure manner.

Figure 1 As the heart of the SAP system, the cyber layer must be properly secured and monitored

The cyber layer can also become insecure if it is not actively managed and maintained by a robust, specialized security team. Due to these factors, many organizations are not taking the proper steps to mitigate cyber-layer threats.

In addition, because of the capabilities and responsibilities of the cyber layer, it is a natural target for malicious attackers. If attackers were to breach this layer, they would be able to control the SAP environment, which would allow them to bypass the traditional SoD and governance, risk, and compliance (GRC) security measures. The organization’s sensitive business data and processes would then be compromised, leaving it susceptible to espionage, sabotage, or financial fraud activities.

To protect the cyber layer and implement a holistic security process, many organizations have turned to Onapsis X1. Onapsis X1 is an SAP-certified solution that helps organizations conduct automated application security assessments of SAP systems.

Backed by frequent updates from Onapsis Research Labs, which is composed of experts with a proven track record in the ERP and SAP security fields, Onapsis X1 detects insecure ABAP and Java configurations, missing security-related SAP Notes and patches, dangerous user authorizations, insecure interfaces between SAP systems, and threats affecting SAP Mobile Platform and the SAP HANA platform.

By following Onapsis X1’s detailed mitigation procedures, customers can increase the security level of their platform, decrease business fraud risks, and enforce current compliance requirements. Organizations that are using SAP solutions for GRC can view the security assessment data in their GRC dashboards.